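---
# Provisions the openLDAP service on krypton.n39.eu: Docker host setup,
# Apache with Let's Encrypt (dehydrated), the osixia/openldap container and
# the UFW rules that admit the local Docker networks to the LDAP ports.
- hosts: krypton.n39.eu
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3

    data_dir: "/srv/data"
    dehydrated_certs_dir: "/usr/local/etc/dehydrated"

    # Source ranges that the UFW tasks below admit to the LDAP ports.
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]

    # Quoted so that a two-component tag (e.g. a future "1.6") is never
    # parsed as a float.
    openldap_image_version: "1.5.0"
    openldap_data: "{{ data_dir }}/openldap"
    openldap_domain: "ldap.n39.eu"

    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"

  roles:
    - role: docker_setup
      vars:
        docker_data_root: "/srv/docker"
    - role: apache
    - role: apache-letsencrypt  # Uses configuration from dehydrated setup
    - role: ansible-role-dehydrated
      vars:
        # server_admin is not defined in this play; presumably inventory-provided.
        dehydrated_contact_email: "{{ server_admin }}"
        # No domains yet: the challenge endpoint task is still commented out.
        # Explicit empty list; a bare `dehydrated_domains:` would be null.
        dehydrated_domains: []
    - role: penguineer.dehydrated_cron

  tasks:
    # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
    #   include_role:
    #     name: setup-http-dehydrated
    #   vars:
    #     site_name: "{{ openldap_domain }}"

    - name: Ensure openLDAP directories are present.
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ openldap_data }}/ldap"
        - "{{ openldap_data }}/slapd"
        - "{{ openldap_data }}/ldif"
        - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}"

    - name: Ensure container for openLDAP is running.
      community.docker.docker_container:
        name: openLDAP
        image: "osixia/openldap:{{ openldap_image_version }}"
        detach: true
        state: started
        restart_policy: unless-stopped
        container_default_behavior: no_defaults
        pull: true
        env:
          # Env values are strings on purpose: the container entrypoint reads
          # text, and an unquoted true/false would become a YAML boolean.
          LDAP_LOG_LEVEL: "256"
          LDAP_ORGANISATION: "{{ ldap_org }}"
          LDAP_DOMAIN: "{{ ldap_domain }}"
          LDAP_BASE_DN: "{{ ldap_base_dn }}"
          LDAP_READONLY_USER: "false"
          # ldap_admin_password is not defined here; it is expected to come
          # from an encrypted (vault) variable source, never from this file.
          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
          # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
          LDAP_RFC2307BIS_SCHEMA: "true"
          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
          LDAP_REPLICATION: "no"
          KEEP_EXISTING_CONFIG: "false"
          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
        # NOTE(review): ports published by Docker are bound on all host
        # interfaces and Docker's own iptables rules usually admit them
        # regardless of the UFW INPUT rules below. Confirm that exposing
        # 389 (plaintext/STARTTLS) beyond the Docker ranges is intended;
        # otherwise bind to a specific host address (e.g. "127.0.0.1:389:389").
        published_ports:
          - "389:389"  # unencrypted/STARTTLS
          - "636:636"  # SSL
        volumes:
          - "{{ openldap_data }}/ldap:/var/lib/ldap"
          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
          - "{{ dehydrated_certs_dir }}/certs/{{ openldap_domain }}:/container/service/slapd/assets/certs"
          # custom-element.ldif is not created by this play; if it is missing
          # on the host, Docker creates a directory at that path instead of a
          # file bind mount. Presumably provided out of band — confirm.
          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
        timeout: 500
        command: "--copy-service --loglevel debug"

    - name: Ensure UFW is installed
      ansible.builtin.package:
        name: ufw
        state: present

    # One task for both LDAP ports instead of two near-identical copies;
    # the play already runs with become, so no per-task escalation is needed.
    - name: Allow access to openLDAP from local docker container
      community.general.ufw:
        rule: allow
        port: "{{ item.1 }}"
        proto: tcp
        from: "{{ item.0 }}"
        comment: LDAP Docker Access
      loop: "{{ docker_ip_ranges | product(['389', '636']) | list }}"

  handlers: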